Define initial data for a new table dataset

When you create a new table dataset with the Table Editor you start by defining initial data. You have three options for initial data.

An index and source type combination - You can populate your new dataset with events associated with a combination of indexes and source types.

An existing dataset - Your dataset can get its initial data from a dataset that already exists. The dataset can be a table dataset, a data model dataset, a CSV lookup table, or a CSV lookup definition.

A search - You can base your dataset on the results of any search string, as long as it does not include transforming commands.

If you use Splunk Analytics for Hadoop and want to create a dataset based on data from a virtual index, you must get your initial data either from a search that references the virtual index or from an existing dataset that already has the virtual index data.

Identify an index and source type combination for initial data

In the Search & Reporting app, open the Datasets listing page.

Click Create New Table Dataset to go to the initial data setup screen of the Table Editor.

Select Indexes & Source Types.

Choose an index that you want to use for initial data. If you do not want to select a specific index, select All indexes.

Select a source type that you want to use for initial data. If you do not want to select a specific source type, select All source types.

If you select both All indexes and All source types, you risk creating an overly broad dataset that contains all of the events indexed by your Splunk implementation (with the exception of events in _internal and other internal indexes, which you must specify by name). In general you should avoid creating overly broad datasets. The datasets feature is designed for creating narrow views of data.

A preview of your dataset appears. Rows are events, columns are fields, and cells are field values.

(Optional) Click Add an index and one or more source types... to create a dataset that pulls data from more than one index and source type combination.

Select existing fields that you want to see in your dataset. Click OK when you are done.

Hover over a listed field to see field statistics, such as the percentage of events in the dataset that have the field, and the top values for the field.

(Optional) If you are not seeing a field choice that you are expecting, add the missing field.

At the bottom of the field list, click Add a missing existing field.

Enter the field and click Add.

Select the added field.

Use the dataset preview pane to verify that this is the initial data that you want. If you do not find the existing fields or field values that you were expecting, you can remove this selection and select another one.

(Optional) If you are not sure whether the index and source type combination you have chosen contains the events you are looking for, change the Sample setting at the top of the preview pane to see random events from the dataset or select a new sample.

When you are satisfied that your index, source type, and field selections provide the correct initial data for your dataset, click Done to move on to the Table Dataset Editor.

Use an existing dataset for initial data

The Datasets tab lets you select an existing dataset for your initial data. You can select any dataset that you can otherwise see on the Datasets listing page, including data model datasets, lookup tables, and lookup definitions.

When you create a dataset that uses an existing dataset for initial data, you can choose between cloning and extending the existing dataset.

Click Create New Table Dataset to go to the initial data setup screen of the Table Editor.

Select Existing Datasets.

Select either Clone or Extend.

Clone - Creates an identical copy of the original dataset. Only table datasets can be cloned.

Extend - Creates a dataset that is extended from an existing dataset. Changes made to the original dataset propagate down to the extended dataset. All dataset types can be extended.

If you are working with a lookup table file, select the fields that you want to use in your table.

The fields you select are the only fields that will make up your dataset, along with _raw and _time, which are required. You can hover over a field to see field statistics, such as the percentage of events in the dataset that have the field, and the top values for the field.

Table datasets, data model datasets, and lookup definitions have fixed fields. When you create a new dataset by cloning or extending a dataset with fixed fields, you do not get to choose which of those fields you want to start with in your dataset.

(Optional) If you are not seeing a field choice that you are expecting, add the missing field.

At the bottom of the field list, click Add a missing existing field.

Enter the field and click Add.

Select the added field.

Use the dataset preview pane to verify that this is the initial data that you want. If you do not find the existing fields or field values that you were expecting, you can select a different dataset.

(Optional) If you are not sure whether the dataset you have chosen contains the events you are looking for, change the Sample setting at the top of the preview pane to see random events from the dataset or select a new sample.

When you are satisfied that your dataset selection provides the correct initial data for your dataset, click Done to move on to the Table Dataset Editor.

Provide a search string for initial data

There are four methods that you can follow to derive the search string for initial data. Once you provide the search string, the other initial data setup steps are the same.

The search string you provide must identify the fields that its search commands operate on. For example, a search that only includes commands like sendemail, highlight, or delete is invalid because those commands do not require you to identify the fields that they operate on.
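A pre-check for candidate search strings against the constraints described on this page, written as an added example (not Splunk code). The function names are hypothetical, the set of transforming commands is an assumed, non-exhaustive sample, and the `index=*` check mirrors the caution about combining All indexes with All source types.

```python
import re

# Assumed, non-exhaustive set of transforming commands; extend it as needed.
TRANSFORMING = {"stats", "chart", "timechart", "top", "rare"}
# Commands the page names as not identifying the fields they operate on.
NO_FIELDS = {"sendemail", "highlight", "delete"}


def split_pipeline(search):
    """Split on top-level pipes, skipping pipes in quotes or [subsearches]."""
    segments, buf, depth, quoted, escaped = [], [], 0, False, False
    for ch in search:
        if escaped:
            escaped = False
        elif ch == "\\" and quoted:
            escaped = True
        elif ch == '"':
            quoted = not quoted
        elif not quoted and ch == "[":
            depth += 1
        elif not quoted and ch == "]":
            depth = max(depth - 1, 0)
        elif ch == "|" and not quoted and depth == 0:
            segments.append("".join(buf).strip())
            buf = []
            continue
        buf.append(ch)
    segments.append("".join(buf).strip())
    return segments


def check_initial_search(search):
    """Return a list of findings; an empty list means no issue was detected."""
    segments = split_pipeline(search)
    # Segment 0 holds the base search terms (empty if the string starts with "|").
    base, piped = segments[0], [s for s in segments[1:] if s]
    # Assumption: only top-level commands are checked, not subsearch contents.
    commands = [s.split()[0].lower() for s in piped]
    findings = [f"transforming command: {c}" for c in commands if c in TRANSFORMING]
    if commands and all(c in NO_FIELDS for c in commands):
        findings.append("only commands that do not identify fields")
    wide_index = re.search(r'\bindex\s*=\s*"?\*"?(?=\s|$)', base)
    narrow_st = re.search(r'\bsourcetype\s*=\s*"?[^\s"*][^\s"]*', base)
    if wide_index and not narrow_st:
        findings.append("index=* without a specific source type")
    return findings
```
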

Provide the full search string in the Table Editor

In the Search & Reporting app, open the Datasets listing page.

Click Create New Table Dataset to go to the initial data setup screen of the Table Editor.

Preview your dataset and select its starting fields

When you begin this task, you must have first used one of the previous four tasks to define the search string for your initial data.

After you define the search string for your initial data, press the Enter key on your keyboard or click the magnifying glass icon to run the search.

A preview of your dataset appears. Rows are events, columns are fields, and cells are field values. Update the search and run it again until you are satisfied with the results.

Select existing fields that you want to see in your dataset. Click OK when you are done.

Hover over a listed field to see field statistics, such as the percentage of events in the dataset that have the field, and the top values for the field.

(Optional) If you are not seeing a field choice that you are expecting, add the missing field.

At the bottom of the field list, click Add a missing existing field.

Enter the field and click Add.

Select the added field.

Use the dataset preview pane to verify that this is the initial data that you want. If you do not find the existing fields or field values that you were expecting, you can modify the search.

(Optional) If you are not sure whether your search string will return the events you are looking for, change the Sample setting at the top of the preview pane to see random events from the dataset or select a new sample.

When you are satisfied that your index, source type, and field selections provide the correct initial data for your dataset, click Done to move on to the Table Dataset Editor.
